Hello everyone, we wanted to bring visibility to the fact that, beginning April 12, 2022, access tokens and authorization codes will be issued with varying lengths. This supports the OAuth specification (RFC 6749) and keeps clients from making assumptions about authorization code and access token values.
Currently, the access token and authorization code sizes are fixed. The current size of the authorization code is shorter than what some security practitioners recommend. Through this change, Auth0 provides a stronger code and token while also improving the performance of Auth0 systems.
Please be sure to check your tenant logs for deprecation notices that indicate requests for fixed-length access tokens and authorization codes, using the log query: type:depnote AND description:Authorization
In the Auth0 Dashboard advanced settings, there is a toggle that allows customers to disable the fixed size of these credentials to try it out. This setting can be enabled and disabled at will until April 12, 2022, at which point it will be removed and all authorization code and access token lengths will be variable.
Customers with systems configured to rely on specific authorization code and access token lengths must change from fixed-size to variable-size configurations before April 12, 2022.
Please let us know if you have any questions!
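
Added example, not part of the original announcement and not Auth0 code: a client-side check that hard-codes a credential length, next to one that follows the RFC 6749 grammar (code and access token are `1*VSCHAR`, with no fixed size). The length 32, the 4096 upper bound, the function names and the sample values are constructed assumptions, not Auth0's actual values.

```javascript
// Added example. Lengths and sample values are constructed, not Auth0's real ones.
const ASSUMED_FIXED_LEN = 32;  // hypothetical length a client may have hard-coded
const MAX_ACCEPTED_LEN = 4096; // assumed defensive upper bound (not from the RFC)

// Brittle: rejects any credential whose length differs from the hard-coded one.
function brittleCheck(value) {
  return typeof value === "string" && value.length === ASSUMED_FIXED_LEN;
}

// Tolerant: RFC 6749 Appendix A defines code and access-token as 1*VSCHAR
// (printable ASCII, %x20-7E) and leaves the size undefined.
function tolerantCheck(value, maxLen = MAX_ACCEPTED_LEN) {
  return typeof value === "string" &&
    value.length >= 1 && value.length <= maxLen &&
    /^[\x20-\x7E]+$/.test(value);
}

// Run both checks over the same samples so the difference is visible.
function compareChecks(samples) {
  return samples.map((value) => ({
    length: value.length,
    brittle: brittleCheck(value),
    tolerant: tolerantCheck(value),
  }));
}

// Lengths of well-formed credentials that only the fixed-length check rejects.
function brokenByFixedLength(samples) {
  return compareChecks(samples)
    .filter((r) => r.tolerant && !r.brittle)
    .map((r) => r.length);
}

// Constructed samples (not real credentials): three valid values of different
// lengths, one containing a control character, and one empty string.
const SAMPLES = ["a".repeat(32), "b".repeat(43), "c".repeat(64), "bad\nvalue", ""];

console.log(compareChecks(SAMPLES));
console.log("wrongly rejected lengths:", brokenByFixedLength(SAMPLES));
```

The same assumption can hide in database column widths, cache key formats and log parsers, so those are worth reviewing alongside validation code.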